b" U.S. DEPARTMENT OF COMMERCE\n           Office of Inspector General\n\n\n\n\n      NATIONAL OCEANIC AND\nATMOSPHERIC ADMINISTRATION\n\n                  Progress Being Made in\n  Certification and Accreditation Process,\n       but Authorizing Officials Still Lack\n  Adequate Decision-making Information\n\n            Final Report No. OSE-18019/September 2006\n\n\n\n\n             PUBLIC RELEASE\n\n\n\n\n                               Office of Systems Evaluation\n\x0c\x0c\x0cU.S. Department of Commerce                                                                            Final Report OSE-18019\nOffice of Inspector General                                                                                    September 2006\n\n                                                         CONTENTS\n\nSummary .............................................................................................................................. i\nIntroduction......................................................................................................................... 1\nObjectives, Scope, and Methodology ................................................................................. 3\nFindings and Recommendations ......................................................................................... 5\nI.         NOAA Has Enhanced System Security Plans and Risk Assessments, but\nAdditional Improvements Are Needed ............................................................................... 5\n      A. Security Plans Improved, but System Descriptions Need to Be More Accurate.... 5\n      B. Risk Assessments Provided More Useful Information........................................... 6\n      Recommendations......................................................................................................... 8\nII.        Security Control Assessments Were Not Sufficient for Effective Certification... 10\n      A. Vulnerability Scanning Was Incomplete and Ineffective ..................................... 10\n      B. Security Control Assessments Did Not Provide Evidence of Effective\n           Management, Operational, and Technical Controls ............................................. 13\n      Recommendations....................................................................................................... 15\nAPPENDIX: NOAA\xe2\x80\x99s Response..................................................................................... 17\n\x0cU.S. Department of Commerce                                          Final Report OSE-18019\nOffice of Inspector General                                                  September 2006\n\n                                      SUMMARY\n\nThis report presents the findings from our FY 2005 Federal Information Security\nManagement Act (FISMA) review that relate to important parts of NOAA\xe2\x80\x99s certification\nand accreditation (C&A) process: 1) system security plans/risk assessments, and 2)\nsecurity control assessments.\n\nSystem certification is the comprehensive assessment of security controls implemented in\nan information system. It determines the extent to which controls are implemented\ncorrectly, operating as intended, and meeting the security requirements for the system.\nAccreditation is management\xe2\x80\x99s formal authorization to allow a system to operate and\nincludes an explicit acceptance of the risk posed by the identified remaining\nvulnerabilities.\n\nFor FY 2005, we reviewed the C&A documentation for three NOAA systems: the Search\nand Rescue Satellite-aided Tracking system (SARSAT), the Polar Orbiting Operational\nEnvironmental Satellite Ground System (POES), and the Office of Response and\nRestoration Seattle Local Area Network (Seattle LAN). Each of these systems was\ncertified and accredited as part of NOAA\xe2\x80\x99s C&A improvement effort.\n\nAs we noted in our September 2005 Semiannual Report to Congress, NOAA had\nsignificantly improved risk assessments, security plans, and security control assessments.\nOur review found, however, that further enhancement is needed to improve its C&A\nprocess. Our FY 2005 independent FISMA evaluation reported that C&A packages for\nSARSAT and the Seattle LAN were compliant with FISMA, but POES was not.\nHowever, even for SARSAT and the Seattle LAN, several important aspects of the C&A\nprocess need to be improved. We have prepared this report to highlight problems with the\nSARSAT, POES, and the Seattle LAN C&As that we have seen in other NOAA packages\nin prior years and were still evident in our review of five NOAA systems earlier in FY\n2006.\n\nNOAA has categorized SARSAT and POES as high-impact systems because a security\nbreach would potentially have severe or catastrophic adverse effects. The certification\nand accreditation of SARSAT and POES should therefore reflect the highest degree of\nrigor. The Seattle LAN, as a moderate impact system, would be held to a somewhat lesser\nstandard but a significant degree of due diligence should be manifest in the C&A process.\n\nNOAA Has Enhanced System Security Plans and Risk Assessments, but Additional\nImprovements Are Needed.\n\nSecurity plans form the basis for certification activities by outlining the security\nrequirements for a system and the controls put in place to meet the requirements. NOAA\nsecurity plans were improved from those we saw in our FY 2004 review with more\naccurate accreditation boundaries and better identification of software components and\ninterconnections. But the plans failed to accurately depict network components\xe2\x80\x94raising\nthe possibility that certification efforts may not adequately examine such devices. Current\n\n\n\n                                             i\n\x0cU.S. Department of Commerce                                         Final Report OSE-18019\nOffice of Inspector General                                                 September 2006\n\ninterconnection agreements were not in place for POES and SARSAT. Without formal\ninterconnection agreements, there are insufficient mechanisms for enforcing security\nrequirements on external systems with which NOAA systems are connected, posing\nincreased risks to the agency and agency operations.\n\nRisk assessments for all three systems provided useful information for NOAA system\nowners to determine what appropriate security controls should be, although we noted\nsome flaws in the assessment methods. Often, the threats and vulnerabilities assessed\nwere vague or broad generalizations and the analysis at times confused the definitions of\nthe terms. The analysis of how controls may mitigate specific adverse events was also\nlacking. Under recent NIST standards and guidance for selecting security controls, risk\nassessments should focus on tailoring the security control baseline as well as analyzing\nany resource-intensive changes to the security features of the system. (See page 5.)\n\nWe recommend NOAA ensure security plans provide a complete and accurate account of\nsystem components and interconnection agreements are in place. And NOAA should\nensure risk assessments are used to tailor security control baselines and provide analysis\nand justifications for resource-intensive changes to the security features of the\ninformation system. (See page 8.)\n\nSecurity Control Assessments Were Not Sufficient for Effective Certification.\n\nNOAA\xe2\x80\x99s use of vulnerability scans to assess the adequacy of security controls was\nincomplete and ineffective. NOAA\xe2\x80\x99s designated scanning tool was unable to evaluate\nmany network components for all three systems. POES scans were successfully\ncompleted on only 4 of 14 components residing on its development network, while the\noperational network was not scanned. SARSAT scans were also limited\xe2\x80\x94key\ncomponents such as firewalls, routers, and switches were not scanned prior to the\naccreditation. Additional scans of POES and SARSAT conducted in response to our\nconcerns were also incomplete.\n\nNOAA did not analyze or correct potentially serious vulnerabilities on the Seattle LAN.\nAlthough two additional scanning tools were used and identified a significant number of\nvulnerabilities, the vulnerabilities were not analyzed or corrected prior to the\naccreditation decision, and they were not identified to the authorizing official.\n\nAlthough POES and SARSAT are high impact systems that require penetration testing,\nsuch testing was not performed. Penetration testing can provide an indication of how\nvulnerable an organization\xe2\x80\x99s network is and the level of damage that can result.\n\nSecurity control assessments did not provide evidence of effective management,\noperational, and technical controls. POES, SARSAT, and the Seattle LAN control\nassessments covered only a subset of the minimum security controls described in NIST\nguidance. Generally, the C&A packages did not include specific procedures for\nevaluating the controls or adequate documentation of the results. Moreover, the approach\nused to select network components for technical control assessments did not provide for\n\n\n\n                                            ii\n\x0cU.S. Department of Commerce                                           Final Report OSE-18019\nOffice of Inspector General                                                   September 2006\n\ncomplete testing of all operating system variants running on servers, workstations,\nlaptops, routers, and switches. (See page 9.)\n\nWe recommend NOAA ensure comprehensive vulnerability scanning, analyze and\ndocument scan results, and plan and implement penetration testing on high-impact\nsystems. NOAA should comprehensively test all management, operational, and technical\ncontrols, perform technical control tests on each operating system variant, and clearly\ndocument remaining vulnerabilities for the authorizing official. (See page 14.)\n\nSummary of NOAA\xe2\x80\x99s Response\n\nIn response to our draft report, NOAA concurred with most of our recommendations, but\ntook issue with two of them. In regards to our recommendation that component listings\nbe comprehensive and consistent with results of network scanning, NOAA agreed that\nsecurity plans should provide an accurate and comprehensive listing of components.\nHowever, the bureau argued that \xe2\x80\x9cperfect line-by-line consistency between a\nvulnerability scan and the component listing, while desirable, is seldom achievable,\xe2\x80\x9d and\nprovided two reasons why components would not be scanned due to technical or\noperational circumstances. The bureau stated that to ensure vulnerability scanning is as\ncomprehensive as possible, it would \xe2\x80\x9canalyze and explain identified discrepancies\nbetween component listings and vulnerability scans performed during certification\ntesting.\xe2\x80\x9d\n\nNOAA took exception with our recommendation pertaining to the sampling approach\nused to test systems, based on the bureau\xe2\x80\x99s interpretation of the recommendation to be\nmore exhaustive than we had intended. The bureau suggested we change the wording of\nthe recommendation by replacing the word \xe2\x80\x9cidentically\xe2\x80\x9d with \xe2\x80\x9cuniquely.\xe2\x80\x9d\n\nNOAA recommended one factual change to our report, pertaining to the vulnerabilities\ndiscovered by scans of the Seattle LAN. The bureau recommended we change one\nsentence to reflect the fact that the vulnerabilities were addressed on the system\xe2\x80\x99s Plan of\nAction and Milestones (POA&M) \xe2\x80\x9cthat covered all risks accepted by the authorizing\nofficial.\xe2\x80\x9d It noted that the POA&M entries, \xe2\x80\x9cgenerally stated that vulnerabilities were\ndiscovered by scanners and needed correcting and/or mitigating.\xe2\x80\x9d\n\nNOAA made the point that the C&A activities for the three systems we reviewed had\nbegun 18 months prior and were completed 14 months ago. NOAA stated that it made\nimmediate changes in its C&A process subsequent to our December 2005 briefing on the\nsame subject matter. The bureau also stated that it has now fully adopted NIST guidance,\nimplemented enhanced internal review processes, added C&A support staff, and\nincreased risk analysis and reporting requirements. NOAA leadership has worked, \xe2\x80\x9cto\nraise awareness of the resources required to implement and maintain an effective and\ncompliant C&A program.\xe2\x80\x9d As such, the bureau believes it has implemented most of our\nrecommendations and will continue to take steps to, \xe2\x80\x9censure program effectiveness.\xe2\x80\x9d\n\n\n\n\n                                             iii\n\x0cU.S. Department of Commerce                                           Final Report OSE-18019\nOffice of Inspector General                                                   September 2006\n\n\n\nOIG Comments\n\nIn regards to our recommendation that component listings should be comprehensive and\nconsistent with results of network scanning, we concede NOAA\xe2\x80\x99s point that perfect line-\nby-line consistency is a difficult task. However, the reasons NOAA provided really\ndescribe two scenarios where the scans would not identify components included in the\nsystem security plan. Our review also found the opposite: scans identified components\nthat were not included in the security plan, thus drawing into question the completeness\nof the system description. This is important because it raises the possibility that other\nrequired testing (beyond vulnerability scanning) will not be performed on devices\nomitted from the security plan, but which are, in fact, a part of the system. That said, we\nare satisfied with NOAA\xe2\x80\x99s intention to analyze and explain discrepancies between scans\nand component listings, so long as the outcome achieves an accurate depiction of the\nsystem and leads to comprehensive certification testing.\n\nWith respect to our recommendation pertaining to the sampling approach used to test\nsystems, we have changed the wording according to NOAA\xe2\x80\x99s suggestion. As a result, the\nbureau should fully concur with our recommendations.\n\nIn regards to the scan results for the Seattle LAN, we have changed the sentence on page\n11 according to NOAA\xe2\x80\x99s suggestion. However, we have also added a sentence indicating\nthat the POA&M entries, which were general statements that vulnerabilities were\ndiscovered by scans, were not sufficient to describe the nature of the risks found by the\nscans and that such is more appropriately described in the security assessment report.\n\nLastly, while we recognize that this report details findings from work NOAA did over a\nyear ago, its publication was motivated by preliminary reviews of five additional C&A\npackages early in FY 2006, which identified similar problems. Our hope is that\ndocumenting our concerns in this report will further facilitate correction of these issues,\nmany of which have persisted for some time. We are generally pleased with NOAA\xe2\x80\x99s\nresponse and feel that we have made changes to the draft which should rectify the issues\nNOAA raised. We look forward to the output from NOAA\xe2\x80\x99s improved C&A process\nincluding the enhanced security that should result.\n\nNOAA\xe2\x80\x99s written response is included in its entirety as an appendix to this report.\n\n\n\n\n                                             iv\n\x0cU.S. Department of Commerce                                            Final Report OSE-18019\nOffice of Inspector General                                                    September 2006\n\n                                    INTRODUCTION\n\nPursuant to the Federal Information Security Management Act (FISMA), we evaluated\nselected aspects of NOAA\xe2\x80\x99s information security program in FY 2005. This report\npresents our findings that relate to important parts of NOAA\xe2\x80\x99s certification and\naccreditation process: 1) system security plans/risk assessments, and 2) security control\nassessments.\n\nNOAA\xe2\x80\x99s C&A Improvement Effort\n\nOn February 24, 2005, the Department CIO issued a plan to eliminate Commerce\xe2\x80\x99s IT\nsecurity material weakness by having improved C&A packages by the end of FY 2005\nfor all national-critical systems, along with a substantial number of mission-critical\nsystems. All Commerce systems were to have acceptable quality C&A packages by the\nend of FY 2006. Accordingly, in FY 2005 NOAA began an effort to improve its\ncertification and accreditation process.\n\nFor FY 2005, we reviewed the certification and accreditation of three NOAA systems:\nthe Search and Rescue Satellite-aided Tracking system (SARSAT), the Polar Orbiting\nOperational Environmental Satellite Ground System (POES), and the Office of Response\nand Restoration Seattle Local Area Network (Seattle LAN). Each of these systems was\ncertified and accredited as part of NOAA\xe2\x80\x99s improvement effort.\n\nAs we noted in our September 2005 Semiannual Report to Congress, NOAA had\nsignificantly improved risk assessments, security plans, and security control assessments.\nOur review found, however, that while NOAA made progress, further enhancement is\nneeded to improve its C&A process. Our FY 2005 independent FISMA evaluation\nreported that C&A packages for SARSAT and the Seattle LAN were compliant with\nFISMA, but POES was not. However, even for SARSAT and the Seattle LAN, several\nimportant aspects of the C&A process need to be improved. We have prepared this report\nto highlight problems with the SARSAT, POES, and the Seattle LAN C&As that we have\nseen in other NOAA packages in prior years and were still evident in our review of five\nNOAA systems 1 earlier in FY 2006. We have briefed NOAA on our findings for these\nfive systems, some of which are scheduled to be resubmitted for our FY 2006 FISMA\nevaluation.\n\nSecurity categorizations of NOAA systems\n\nFIPS Publication 199, Standards for Security Categorization of Federal Information and\nInformation Systems, defines three levels of potential impact on organizations or\nindividuals in the event of a security breach\xe2\x80\x94high, moderate, and low. NOAA\ncategorizes SARSAT and POES as high-impact systems because the loss of\n\n1\n NOAA0200 Network Operations Center (NOC), NOAA0300 Message Operations Center (MOC),\nNOAA3070 Geophysical Fluid Dynamics Laboratory, NOAA6205 Physical Oceanographic Real-Time\nSystem (PORTS) and National Water Level Observation Network (NWLON), and NOAA6501 Office of\nCoast Survey (OCS) Nautical Charting System.\n\n\n                                              1\n\x0cU.S. Department of Commerce                                                  Final Report OSE-18019\nOffice of Inspector General                                                          September 2006\n\nconfidentiality, integrity, or availability is expected to have severe or catastrophic effects.\nThe Seattle LAN is categorized as a moderate-impact system because a security breach\nwould have a lesser but still serious adverse effect. A security breach of a low impact\nsystem would be expected to have a limited adverse effect.\n\nThe security categorization of a system sets the initial baseline of minimum security\ncontrols found in NIST SP 800-53, Recommended Security Controls for Federal\nInformation Systems, which is now required under the Department\xe2\x80\x99s IT security policy,\nupdated in June 2005. 2 Security categorization is important not only for the resulting\ncontrol requirements, it should also guide the rigor, intensity, and scope of all information\nsecurity-related activities\xe2\x80\x94including those that constitute the certification and\naccreditation process.\n\nAs high impact systems, the certification and accreditation of SARSAT and POES should\nreflect the highest level of effort in defining security requirements and implementing\ncontrols, assessing the effectiveness of those controls, and proactively identifying and\nmanaging security weaknesses. The Seattle LAN, as a moderate impact system, would be\nheld to a somewhat lesser standard but a significant degree of due diligence should be\nmanifest in the C&A documentation.\n\nThe goal of certification and accreditation\n\nSystem certification and accreditation is a key element of agency information technology\n(IT) security programs. Certification is the comprehensive assessment of security controls\nimplemented in an information system. It determines the extent to which controls are\nimplemented correctly, operating as intended, and meeting the security requirements for\nthe system. Through the formal assessment of controls, the system certifier identifies\nremaining vulnerabilities\xe2\x80\x94vulnerabilities not eliminated by the implementation of\nsecurity controls.\n\nAccreditation is management\xe2\x80\x99s formal authorization to allow a system to operate and\nincludes an explicit acceptance of the risk posed by the identified remaining\nvulnerabilities. Through accreditation, senior agency officials take responsibility for the\nsecurity of the systems over which they have management, operational, and budget\nauthority and for any adverse impacts should a breach in security occur.\n\n\n\n\n2\n  For FY 2005, systems had the option of meeting the minimum controls in 800-53 or NIST SP 800-26,\nSecurity Self- Assessment Guide for Information Technology. All three NOAA systems we reviewed\ndescribed the 800-53 controls in their security plans or control assessments. POES and SARSAT also\nincluded controls from 800-26. Federal Information Processing Standard Publication 200, Minimum\nSecurity Requirements for Federal Information Systems, now makes the minimum security controls\nspecified in NIST SP 800-53 mandatory (non-waiverable) for federal agency systems.\n\n\n                                                  2\n\x0cU.S. Department of Commerce                                                       Final Report OSE-18019\nOffice of Inspector General                                                               September 2006\n\n                      OBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe purpose of this report is to discuss key findings for NOAA from our FY 2005\nindependent FISMA evaluation and to provide recommendations based on these findings.\nAs shown in Table 1, we reviewed selected C&A packages 3 from the National\nEnvironmental Satellite Data and Information Service (NESDIS) and National Ocean\nService (NOS).\n\n                         Table 1. OIG Review Coverage by NOAA Line Office\n\n               Line Office                                 System\n                                  Search and Rescue Satellite-aided Tracking\n               NESDIS\n                                  (SARSAT)\xe2\x80\x94NOAA 5023\n                                  Polar Orbiting Operational Environmental Satellite\n               NESDIS\n                                  Ground System (POES)\xe2\x80\x94NOAA 5026\n                                  Office of Response and Restoration Seattle Local Area\n               NOS\n                                  Network (Seattle LAN)\xe2\x80\x94NOAA 6702\n\nWe reviewed three NOAA C&A packages for our FY 2005 evaluation. 4 During the\ncourse of our review, we discussed questions that arose with appropriate NOAA officials.\n\nOur review criteria included:\n\n    \xe2\x80\xa2    Federal Information Security Management Act of 2002 (FISMA)\n\n    \xe2\x80\xa2    U.S. Department of Commerce, IT Security Program Policy and Minimum\n         Implementation Standards (January 2003 or June 2005 versions, as applicable)\n\n    \xe2\x80\xa2    U.S. Department of Commerce, System Security Plan Certification and\n         Accreditation Package (SSPCAP) Requirements Inspection Checklist, version 2,\n         June 30, 2003\n\n    \xe2\x80\xa2    OMB Circular A-130, Management of Federal Information Resources\n           o Appendix III, Security of Federal Automated Information Resources\n\n\n\n3\n  The Department\xe2\x80\x99s IT security policy defines a certification and accreditation package as a system security\nplan, risk assessment, contingency plan, incident response plan, configuration management plan, system\ninterconnection agreements, security assessment report, certification work plan, certification test plan,\ncertification test results, and a plan of action and milestones.\n4\n  Based on schedules provided by the Department\xe2\x80\x99s CIO Office, we expected 13 NOAA C&A packages to\nbe available by our cutoff date, but received only 3. We did not include one NOAA package made available\nbecause OIG staff had previously provided feedback during its preparation. Hence, we believe\nsubsequently evaluating it for FISMA compliance would be contrary to the requirement that our review be\nindependent. The Seattle LAN package was the most acceptable of four additional packages provided after\nour cutoff date and was thus chosen to add to our review sample for FISMA reporting.\n\n\n                                                     3\n\x0cU.S. Department of Commerce                                       Final Report OSE-18019\nOffice of Inspector General                                               September 2006\n\n   \xe2\x80\xa2   National Institute of Standards and Technology\xe2\x80\x99s (NIST\xe2\x80\x99s) Federal Information\n       Processing Standards (FIPS)\n          o Publication 199, Standards for Security Categorization of Federal\n              Information and Information Systems\n\n   \xe2\x80\xa2   NIST Special Publications:\n          o 800-18, Guide for Developing Security Plans for Information Technology\n             Systems\n          o 800-26, Security Self- Assessment Guide for Information Technology\n          o 800-30, Risk Management Guide for Information Technology Systems\n          o 800-37, Guide for the Security Certification and Accreditation of Federal\n             Information Systems\n          o 800-42, Guideline on Network Security Testing\n          o 800-53, Recommended Security Controls for Federal Information Systems\n          o 800-63, Electronic Authentication Guideline\n\n   \xe2\x80\xa2   Office of Management and Budget (OMB) Memoranda:\n          o M-05-15, FY 2005 Reporting Instructions for the Federal Information\n              Security Management Act and Agency Privacy Management\n\nWe conducted our evaluation in accordance with the Quality Standards for Inspections\nissued by the President\xe2\x80\x99s Council on Integrity and Efficiency in 2005 and under the\nauthority of the Inspector General Act of 1978, as amended. We conducted our review\nfrom August 2005 to December 2005.\n\n\n\n\n                                          4\n\x0cU.S. Department of Commerce                                                         Final Report OSE-18019\nOffice of Inspector General                                                                 September 2006\n\n                             FINDINGS AND RECOMMENDATIONS\n\nI.    NOAA Has Enhanced System Security Plans and Risk Assessments, but\n      Additional Improvements Are Needed\n\nSystem security plans provided a better basis for certification activities than plans we\nreviewed in FY 2004. In particular, we saw improvements in the descriptions of\naccreditation boundaries, software components, and interconnections. But NOAA should\nimprove identification of network components and obtain interconnection agreements,\nwhich are important for maintaining adequate security between systems. Risk\nassessments had also improved, providing a better identification of specific risks. Under\nthe evolving NIST standards and guidance, the role of risk assessments has changed; we\nprovide some comments on how they can be better utilized in the future.\n\nA. Security Plans Improved, but System Descriptions Need to Be More Accurate\n\nNOAA clearly delineated the major components of the accreditation boundary in its\nsecurity plans, but some network components within the boundary were not always\nidentified\xe2\x80\x94raising the possibility that certification efforts may not adequately examine\nsuch devices. (See box for Departmental direction on system descriptions.)\n\n                                                                   Vulnerability scanning performed\n     Describing the System Environment and                         during certification of POES,\n                 Interconnections                                  SARSAT, and the Seattle LAN\n The security plan provides information that is                    revealed network components not\n essential for determining the scope of security control           identified on the component listings in\n assessments and associating a security deficiency                 the systems\xe2\x80\x99 security plans. The\n identified during testing with a specific network                 security plan for the Seattle LAN\n component. In describing the system environment and\n interconnections the plan should include:                         listed 170 network components, but\n                                                                   NOAA\xe2\x80\x99s primary network scanning\n \xe2\x80\xa2 Detailed topology graphic that depicts system                   tool reported 140 components scanned\n   boundary and key components (e.g., perimeter                    and a supplementary network scanning\n   security devices, firewalls, routers, switches,                 tool identified 202 network\n   servers),\n                                                                   components. Scanning of the POES\n \xe2\x80\xa2 Complete listing of hardware and software                       network identified 11 components not\n   components, and                                                 documented in its component listing.\n                                                                   And five servers (i.e., key\n \xe2\x80\xa2 Discussion of interconnections with other (both                 components) identified in SARSAT\xe2\x80\x99s\n   untrusted and trusted) systems, referencing and                 scans were missing from the system\n   including copies of Memoranda of Understandings\n   (MOUs) and other agreements for provision of IT                 topology diagram.\n   security for the connections.\n Source: U.S. Department Of Commerce IT Security Program\n Policy And Minimum Implementation Standards, June 30, 2005, pp.\n 178\xe2\x80\x93179. Similar requirements were part of the System Security\n Plan Certification and Accreditation Package (SSPCAP)\n Requirements Inspection Checklist, version 2, June 30, 2003.\n\n\n\n\n                                                            5\n\x0cU.S. Department of Commerce                                           Final Report OSE-18019\nOffice of Inspector General                                                   September 2006\n\nThe component listing in the POES system security plan included identical names for\ndifferent network components, making it impossible to discern which components were\nactually tested.\n\nPOES and SARSAT lack interconnection agreements\n\nOur review of POES and SARSAT found that current interconnection agreements, as\nrequired by Appendix III to OMB Circular A-130, Security of Federal Automated\nInformation Resources and Department policy, were not in place. The system security\nplan for SARSAT described five network interconnections, but SARSAT\xe2\x80\x99s C&A\npackage included only a single, unsigned interconnection agreement with the Federal\nAviation Administration.\n\nLikewise, the POES system security plan indicated an interconnection agreement in place\nwith the National Aeronautics and Space Administration, but it was not provided with the\nC&A package. The POES C&A package did include a signed MOU with a contractor,\nbut the security plan indicated this particular interconnection agreement was \xe2\x80\x9cTBD\xe2\x80\x9d (to\nbe determined).\n\nIf not appropriately safeguarded, interconnections with other systems may lead to\nbreaches of security. Without formal interconnection agreements, there are insufficient\nmechanisms for enforcing security requirements between systems and as a result,\nincreased risks to the agency and agency operations.\n\nB. Risk Assessments Provided More Useful Information\n\nRisk assessments of SARSAT and POES ultimately identified specific risks and control\nrecommendations upon which system owners could take action. The lengthy assessments\nwere prepared by a NOAA contractor and considered a broad range of threats and\nvulnerabilities that were factored into an extensive matrix ranking system.\n\nWhile the assessments generally followed the NIST process, we found some faults at\nvarious steps in the process. Descriptions of many of the threats and vulnerabilities were\nvague or broad generalizations. In some cases, vulnerabilities were confused with threats\n(and vice versa) or consequences of vulnerability exploits. The sections describing\ncontrols did not consider how controls mitigated the likelihood of a particular adverse\nevent, as NIST guidance requires.\n\nHowever, the results summaries of both risk assessments identified system-specific\nvulnerabilities and included discussion of potential attacks and consequences. In most\ncases, recommendations for controls were made. Additionally, the results of technical\nvulnerability scans were included in the assessments. Although the scanning itself was\nvery limited (see Finding II), the vulnerabilities identified in the scans were analyzed,\nprioritized, and system patches or other remediation measures were suggested.\n\n\n\n\n                                             6\n\x0cU.S. Department of Commerce                                            Final Report OSE-18019\nOffice of Inspector General                                                    September 2006\n\nSeattle LAN Risk Assessment\n\nThe Seattle LAN risk assessment listed one vulnerability/threat-source pair for each\nNIST SP 800-53 control (i.e., one adverse event per control). But according to NIST\nguidance, the analytical method is to consider a vulnerability/threat-source pair and the\ncontrols (i.e., multiple) in place or planned that may mitigate the risk. By only\nconsidering one potential adverse event per control, the analysis was incomplete\xe2\x80\x94\nprecluding consideration of defense in depth, a security principle that advocates the\nlayering of controls to provide multiple defenses against various types of attacks.\nHowever, the assessment did summarize four risks and included a \xe2\x80\x9csafeguard\nimplementation plan\xe2\x80\x9d that prioritized the risks, outlined remediation efforts, and detailed\nresources required and dates.\n\nRisk assessments should focus on specific threats and vulnerabilities\n\nThe security categorization mandated by FIPS PUB 199 and corresponding minimum\ncontrols found in NIST SP 800-53 have changed the scope of risk assessments. The 800-\n53 security controls address the broader spectrum of threats and vulnerabilities that apply\nto all systems, including those pertaining to continuity of operations (which are also\naddressed in the system\xe2\x80\x99s contingency plan).\n\nTherefore, instead of considering all possible risks, NOAA risk assessments should focus\non specific threats, vulnerabilities, and relevant security controls. These assessments\nshould provide insight into the need for making changes to controls or control\nrequirements. More specifically, risk assessments, including any related cost-benefit\nanalysis, should be used as justification for tailoring the baseline of controls required by\nNIST SP 800-53 and for making resource-intensive changes to the security features of the\ninformation system.\n\nScoping guidance in NIST SP 800-53 describes risk-related considerations that may call\nfor adjusting the baseline of minimum controls (in many cases by adding controls).\nSpecific controls are listed as candidates for downgrading to a lower baseline. Doing so\nwould require the action be consistent with the confidentiality, integrity, and availability\nimpact levels of the system, and in many cases, be supported by a formal assessment of\nrisk.\n\nA security control assessment may reveal vulnerabilities that are easily corrected (e.g., by\ninstalling simple patches or updates) and others that require significant investment in time\nand resources to remedy. The former would need minimal analysis and should be quickly\nremedied. The more significant (particularly in terms of cost) vulnerabilities should be\nconsidered in the risk assessment, resulting in a statement of risk, recommendations for\nchanging or adding controls, and cost-benefit analysis as appropriate. The system owner\nand authorizing official can then decide which needed changes deserve priority over\nothers and guide resources accordingly.\n\n\n\n\n                                              7\n\x0cU.S. Department of Commerce                                           Final Report OSE-18019\nOffice of Inspector General                                                   September 2006\n\nRecommendations\n\nThe Deputy Undersecretary for Oceans and Atmosphere should direct appropriate\nmanagement officials to take the following actions for all C&A packages:\n\n1. Ensure that security plans provide a complete and accurate account of system\n   components.\n      a. Component listings should be comprehensive and consistent with results of\n          network scanning performed during certification testing.\n      b. Network topology diagrams should include all key components and be\n          consistent with network scan results.\n      c. Components should be uniquely identified so that certification activities can\n          be accurately performed and tracked.\n\n2. Ensure interconnection agreements or memoranda of understandings are obtained and\n   included in future C&A packages.\n\n3. Ensure risk assessments are used to tailor security control baselines and provide\n   analysis and justifications for resource-intensive changes to the security features of\n   the information system.\n\nNOAA\xe2\x80\x99s Response\n\nIn regards to our recommendation that component listings be comprehensive and\nconsistent with results of network scanning, NOAA agreed that security plans should\nprovide an accurate and comprehensive listing of components. However, the bureau\nargued that \xe2\x80\x9cperfect line-by-line consistency between a vulnerability scan and the\ncomponent listing, while desirable, is seldom achievable,\xe2\x80\x9d and provided two reasons why\ncomponents would not be scanned due to technical or operational circumstances:\n\n           \xe2\x80\xa2   If a device in the inventory is old or unique, it may be unknown to the\n               vulnerability scanner software.\n           \xe2\x80\xa2   A device in the inventory may be unavailable due to maintenance or\n               removal from the system during the scan. An example of this is a laptop\n               that is taken on travel.\n\nThe bureau stated that to ensure vulnerability scanning is as comprehensive as possible, it\nwould \xe2\x80\x9canalyze and explain identified discrepancies between component listings and\nvulnerability scans performed during certification testing.\xe2\x80\x9d NOAA agreed with the\nremainder of the recommendations related to this finding.\n\nOIG Comments\n\nWe concede NOAA\xe2\x80\x99s point that perfect line-by-line consistency between component\nlistings and scans is a difficult task. However, the reasons NOAA provided really\ndescribe two scenarios where the scans would not identify components included in the\n\n\n\n                                             8\n\x0cU.S. Department of Commerce                                           Final Report OSE-18019\nOffice of Inspector General                                                   September 2006\n\nsystem security plan. Our review also found the opposite: scans identified components\nthat were not included in the security plan, thus drawing into question the completeness\nof the system description. This is important because it raises the possibility that other\nrequired testing (beyond vulnerability scanning) will not be performed on devices\nomitted from the security plan, but which are, in fact, a part of the system. That said, we\nare satisfied with NOAA\xe2\x80\x99s intention to analyze and explain discrepancies between scans\nand component listings, so long as the outcome achieves an accurate depiction of the\nsystem and leads to comprehensive certification testing.\n\n\n\n\n                                             9\n\x0cU.S. Department of Commerce                                                        Final Report OSE-18019\nOffice of Inspector General                                                                September 2006\n\nII.   Security Control Assessments Were Not Sufficient for Effective Certification\n\nNOAA did not comprehensively scan the components of its systems or properly analyze\nthe results of scans. Unknown vulnerabilities likely exist while those identified were not\nproperly evaluated for possible corrective actions. NOAA also did not perform adequate\nassessments of management, operational, and technical security controls. As a result,\nauthorizing officials lacked sufficient information for making sound accreditation\ndecisions.\n\nA. Vulnerability Scanning Was Incomplete and Ineffective\n\nVulnerability scans of both the POES and SARSAT systems failed to examine many\nnetwork components. The Seattle LAN was extensively scanned, but vulnerabilities were\nnot analyzed prior to accreditation.\n\nScanning of POES was limited to only four components, but the C&A package did not\nexplain why. In follow-up discussions with NESDIS\xe2\x80\x99s IT security officer, we learned the\ncertification team had not attempted to correct issues that limited scanning. No\ncomponents residing on the operational network were scanned. Four components were\nsuccessfully scanned on the development network, but 10 others were not.\n\nThe SARSAT C&A package did not define the scope of scanning and provided only a\nsummary of results. Our discussions with NOAA revealed that only workstations and\nservers were scanned, not firewalls, routers, or switches\xe2\x80\x94key components that provide\nessential security services. The scans performed were analyzed and documented in the\nrisk assessments, but since not all network components were scanned, unknown\nvulnerabilities likely exist.\n\nAdditional scanning of POES and SARSAT also was inadequate\n\nAfter we discussed our findings that certification scanning was incomplete, NOAA\nacknowledged the problem and conducted additional scanning on POES and SARSAT.\nUnfortunately, the additional POES scans were incomplete as well. None of the network\ncomponents located at NOAA\xe2\x80\x99s Fairbanks or Wallops installations were scanned. At\nNOAA\xe2\x80\x99s Satellite Operations Control Center in Suitland, Maryland, only the operational\nnetwork components within three of seven subnets 5 were scanned.\n\nAdditional SARSAT scans included all network components except the five remote local\nuser terminal 6 subnets located in Hawaii, Guam, California, Florida, and Alaska.\nAccording to NOAA officials, these subnets were not tested because they could not be\nscanned remotely, and the certification test team would have to conduct the vulnerability\nscanning on-site.\n\n5\n  A subnet is an identifiably separate part of an organization's network. Typically, a subnet may represent\nall the machines at one geographic location, in one building, or on the same local area network.\n6\n  Local user terminals receive 406 MHz distress signals detected by satellites.\n\n\n\n                                                     10\n\x0cU.S. Department of Commerce                                          Final Report OSE-18019\nOffice of Inspector General                                                  September 2006\n\n\nNOAA officials said they made a risk-based decision that scanning the remote subnets\nwould not be cost effective, but that was not explained in the C&A package, and this lack\nof vulnerability scanning was not identified as a remaining vulnerability to the\nauthorizing official. Because SARSAT is a high impact system, NOAA should develop a\nstrategy to scan all remote network components in future testing.\n\nThe results of the additional scans of both POES and SARSAT were not analyzed or\naddressed in the C&A package, leaving the authorizing official with insufficient\ninformation on remaining vulnerabilities.\n\nNOAA\xe2\x80\x99s primary scanning tool was unable to evaluate many of the network components\n\nNOAA requires vulnerability scanning to be done using a particular scanning tool that\ndid not consistently complete testing. The scanning tool identified 140 network\ncomponents of the Seattle LAN, but only 63 were successfully scanned; so more than 50\npercent of the network components could not be fully assessed for vulnerabilities. As\npreviously noted, POES vulnerability scanning could only assess 4 of the 14 components\non its development network during certification testing. NOAA did not provide\ninformation regarding the tool\xe2\x80\x99s success rate scanning SARSAT.\n\nWe also noted this irregularity in the quarterly vulnerability scans performed on NOAA\nsystems during our FY 2005 assessment of annual testing of security controls. For\nexample, we found that for the National Centers for Coastal Ocean Science Headquarters\nSupport System, the scanning tool identified 237 network components but only 122 were\nfully scanned. Vulnerability scanning of all network components is necessary to identify\nand eliminate vulnerabilities.\n\nIf NOAA\xe2\x80\x99s scanning tool cannot scan all network components of a system, other\nscanning tools should be used to ensure complete coverage. Department policy and NIST\nSP 800-42, Guideline on Network Security Testing, recommend that more than one\nscanning tool be used as a matter of practice, since no one scanner can reliably detect all\nvulnerabilities.\n\nPotentially serious vulnerabilities on the Seattle LAN were not analyzed or corrected\n\nNOAA did use an additional scanning tool and a tool that identifies web application\nvulnerabilities on the Seattle LAN to supplement its primary tool. The additional tools\nprovided more thorough testing. (See Table 2 for the total number of vulnerabilities\nfound by each scanning tool.) However, the Seattle LAN\xe2\x80\x99s C&A package noted that\nmedium and low risk vulnerabilities detected by the primary and supplementary scanning\ntools were considered acceptable and required no further analysis or mitigation. Only\nhigh risk vulnerabilities required evaluation and possible mitigation. However, high risk\nvulnerabilities were not evaluated or corrected prior to the accreditation decision, and\nthey were not identified to the authorizing official as remaining vulnerabilities.\n\n\n\n\n                                            11\n\x0cU.S. Department of Commerce                                          Final Report OSE-18019\nOffice of Inspector General                                                  September 2006\n\n  Table 2. Number of Vulnerabilities Identified by Risk Level and Scanning Tool\n                                 (Seattle LAN)\n\n                                                      Risk Level and Number\n                Scanning Tool\n                                                      of Vulnerabilities Found\n                                                   High       Medium         Low\n           Primary Scanning Tool                     0            107           149\n       Supplementary Scanning Tool                  59            218            79\n      Web Application Scanning Tool                  8             35           677\n\nDocumentation for NOAA\xe2\x80\x99s primary scanning tool states that medium vulnerabilities\n\xe2\x80\x9cprovide access to sensitive data\xe2\x80\x9d and low vulnerabilities \xe2\x80\x9cmay be used for information\ngathering\xe2\x80\xa6which could lead to higher risk levels.\xe2\x80\x9d Also, the supplementary scanning\ntool\xe2\x80\x99s documentation states that medium vulnerabilities \xe2\x80\x9care serious security threats that\nwould allow a trusted but non-privileged user to assume complete control of a host, or\nwould permit an untrusted user to disrupt service or gain access to sensitive information,\xe2\x80\x9d\nand low vulnerabilities \xe2\x80\x9cmay provide an attacker with information that could be\ncombined with other, higher-risk vulnerabilities, in order to compromise the host or its\nusers.\xe2\x80\x9d\n\nThe Seattle LAN\xe2\x80\x99s C&A package provided a brief analysis of vulnerabilities reported by\nthe supplementary web application scanning tool and says the information was provided\nto the system administrators to determine resolution and possible mitigation. The\nvulnerabilities were not corrected prior to the accreditation decision, but they were\nincluded in the Plan of Action and Milestone (POA&M) that covered all risks accepted\nby the authorizing official. However, the POA&M entries were not sufficient to\nadequately describe the nature of the risks discovered by the scans\xe2\x80\x94something that\nwould be more appropriately documented in the security assessment report.\n\nRequired penetration testing was not performed on POES and SARSAT\n\nNOAA officials stated that penetration testing, required by Department policy for high-\nimpact systems, would be completed as part of the certification and accreditation process,\nBut neither the POES nor SARSAT systems had penetration tests prior to accreditation.\nNIST SP 800-42 states that penetration testing is important because it can provide an\nindication of how vulnerable an organization\xe2\x80\x99s network is and the level of damage that\ncan result if the network is compromised.\n\nIn late September 2005, about 3 months after accreditation, NOAA provided OIG with a\ndraft penetration test report for POES. A discussion with the NESDIS IT security officer\nconfirmed our conclusion that only simple vulnerability scanning had been performed,\nsince the report provided no evidence of any attempts to exploit vulnerabilities.\n\n\n\n\n                                            12\n\x0cU.S. Department of Commerce                                         Final Report OSE-18019\nOffice of Inspector General                                                 September 2006\n\n\n\nB. Security Control Assessments Did Not Provide Evidence of Effective Management,\n   Operational, and Technical Controls\n\nPOES, SARSAT, and the Seattle LAN control assessments were incomplete, covering\nonly a subset of the minimum security controls described in NIST guidance. Generally,\nthe C&A packages did not include specific procedures for evaluating the controls or\nadequate documentation of the results. We reviewed the assessments of management and\noperational controls, but focused on technical control assessments.\n\nIneffective SARSAT and POES control assessments\n\nSecurity control assessments considered only a subset of minimum required controls\nfrom NIST SP 800-53 or 800-26, but included some additional controls specified by\nNOAA\xe2\x80\x99s IT security office. However, the combined number of management, operational,\nand technical controls evaluated was less than 66 percent of the controls specified in\neither NIST SP 800-53 or 800-26, and the majority of those assessed were technical\ncontrols, with little attention to management and operational controls.\n\nThe procedures used to verify the effectiveness of controls were not defined in more than\n60 percent of the assessment cases. And assessment results lacked enough detail to gauge\nthe adequacy of control testing or the effectiveness of the controls.\n\nSARSAT\xe2\x80\x99s technical control assessment was barely adequate for certification and\nunknown vulnerabilities that could be exploited may exist. Only a small sample of\nnetwork components was evaluated, but the sample did include the primary domain\ncontroller that enforces security policy for a significant portion of the system. NOAA\nassessed the technical controls on 10 of 82 Windows network components and 1of 8\nfirewall device components. Servers and workstations within SARSAT run 9 variants, or\ntypes, of Windows operating systems. However, components for which technical controls\nwere assessed ran only 4 of these 9 Windows operating system types.,\n\nControls in routers and switches were not examined. And multiple modems located\nwithin the secure boundary\xe2\x80\x94which are access points into the system\xe2\x80\x94were not tested\nfor authentication and session security. These controls would normally enforce the\nDepartment policy that passwords and data must be encrypted when transmitted over the\nInternet or via dial-up connections.\n\nResults of control assessments were provided in SARSAT\xe2\x80\x99s C&A package, but some\nwere incomplete or did not include enough information to determine completeness. For\nexample, some controls were identified as \xe2\x80\x9cpassed\xe2\x80\x9d without providing specific results.\nOthers were identified as \xe2\x80\x9cfailed,\xe2\x80\x9d but only included results from some of the procedures\n(multiple procedures are sometimes required to assess a single control).\n\nPOES technical control assessment applied the same approach used by SARSAT and was\nlikewise inadequate. Technical control testing was done on only 10 of the 81 Windows\nnetwork components, and it was unclear if the 4 variants of the Windows operating\n\n\n                                           13\n\x0cU.S. Department of Commerce                                         Final Report OSE-18019\nOffice of Inspector General                                                 September 2006\n\nsystems were tested. As previously mentioned, the lack of unique names for POES\nnetwork components made it impossible to know which network components were\nactually tested. In addition, no routers or switches were tested.\n\nMinimal Seattle LAN control assessment\n\nThe security control assessment of the Seattle LAN evaluated only a subset of the\nmanagement, operational, and technical controls required by NIST SP 800-53 for a\nmoderate-impact system. The C&A package included little information about assessment\nactivities, and no assessment procedures were defined for any of the controls. Only 22\npercent of the controls were identified as assessed, and the results were not provided.\nInstead, there was only an indication that a given control existed.\n\nNOAA also did not evaluate a sufficient number of components for effective technical\ncontrols assessment. The Seattle LAN system inventory identifies 8 servers running 3\nvariants of the Windows operating system, 128 workstations and laptops running 3\nvariants of the Windows operating system, 2 variants of the Macintosh operating system,\nand 1 Linux operating system. However, only 2 network components\xe2\x80\x94a single server\nand workstation\xe2\x80\x94of the 136 servers and workstations were tested, and no technical\ncontrol assessment was done on routers or switches. However, the server evaluated was\nthe primary domain controller, which provides essential security services for the network.\n\nComprehensive approach needed to select components for technical control assessments\n\nThe approach used to select network components for SARSAT, POES, and the Seattle\nLAN did not provide for complete testing of all operating system variants running on the\nservers, workstations, laptops, routers, and switches.\n\nC&A packages for both SARSAT and POES noted that a representative sample of\nnetwork components had been selected for certification testing. However, 5 of 9\noperating system variants were not tested for SARSAT, and it was unclear which variants\nwere not tested for POES.\n\nSeven of nine operating system variants running on the Seattle LAN were not tested.\nConsequently, the effectiveness of the technical controls operating on the network\ncomponents of these systems was unknown at the time of accreditation.\n\nBecause of technical differences in operating system variants, each should be tested to\nensure that technical controls are implemented correctly and operating as intended. A\nsampling approach would be effective in cases where multiple network components run\nthe same operating system and where each component\xe2\x80\x99s operating system is identically\nconfigured. In that case, the certification agent should ensure that each uniquely\nconfigured operating system variant is tested and provide the rationale for component\nselection in the C&A package.\n\n\n\n\n                                           14\n\x0cU.S. Department of Commerce                                         Final Report OSE-18019\nOffice of Inspector General                                                 September 2006\n\nRecommendations\n\nThe Deputy Undersecretary for Oceans and Atmosphere should direct appropriate\nmanagement officials to take the following actions:\n\n1. Ensure comprehensive vulnerability scanning.\n      a. Determine whether NOAA\xe2\x80\x99s primary network scanner is capable of scanning\n          all network components.\n      b. If not, utilize an additional scanner to permit complete scanning.\n\n2. Analyze and document vulnerability scan results, and take action to correct\n   vulnerabilities.\n\n3. Develop and implement a plan and schedule for conducting penetration testing on all\n   high-impact systems.\n\n4. Comprehensively test management, operational, and technical controls. Develop\n   procedures to evaluate the controls and document test results.\n\n5. Perform technical control tests on components of each uniquely configured operating\n   system variant.\n\n6. Clearly document remaining vulnerabilities in every system so authorizing officials\n   can make credible risk-based decisions on whether or not to accredit the system.\n\nNOAA\xe2\x80\x99s Response\n\nNOAA recommended one factual change pertaining to the vulnerabilities discovered by\nscans of the Seattle LAN. The bureau suggested we change one sentence to reflect the\nfact that the vulnerabilities were addressed on the system\xe2\x80\x99s Plan of Action and Milestones\n(POA&M) \xe2\x80\x9cthat covered all risks accepted by the authorizing official.\xe2\x80\x9d It noted that the\nPOA&M entries, \xe2\x80\x9cgenerally stated that vulnerabilities were discovered by scanners and\nneeded correcting and/or mitigating.\xe2\x80\x9d\n\nNOAA took exception with our recommendation pertaining to the sampling approach\nused to test systems (number 5 above), based on the bureau\xe2\x80\x99s interpretation of the\nrecommendation to be more exhaustive than we had intended. The bureau suggested we\nchange the wording of the recommendation by replacing the word \xe2\x80\x9cidentically\xe2\x80\x9d with\n\xe2\x80\x9cuniquely.\xe2\x80\x9d NOAA agreed with the remaining recommendations.\n\nOIG Comments\n\nIn regards to the scan results for the Seattle LAN, we have changed the sentence (now on\npage 12) according to NOAA\xe2\x80\x99s suggestion. However, we have also added a sentence\nindicating that the POA&M entries, which were general statements that vulnerabilities\n\n\n\n\n                                           15\n\x0cU.S. Department of Commerce                                          Final Report OSE-18019\nOffice of Inspector General                                                  September 2006\n\nwere discovered by scans, were not sufficient to describe the nature of the risks found by\nthe scans and that such is more appropriately described in the security assessment report.\n\nWith respect to our recommendation pertaining to the sampling approach used to test\nsystems, we have changed the wording according to NOAA\xe2\x80\x99s suggestion.\n\n\n\n\n                                            16\n\x0cU.S. Department of Commerce                           Final Report OSE-18019\nOffice of Inspector General                                   September 2006\n\n                          APPENDIX: NOAA\xe2\x80\x99S RESPONSE\n\n\n\n\n                                     17\n\x0c\x0c\x0c\x0c\x0c2\n\x0c"